Scheme #2: The Widget Warrior
Facebook is famous for its widgets--you know, the third-party applications that you can add onto your account. Sometimes, though, widgets turn into warriors with a single mission: stealing your data.
The first rogue widget reared its head in 2008, when researchers realized that a program called Secret Crush had anything but sweet intentions. The application, which was supposed to help you find your virtual admirers, instead installed spyware onto your computer.
Even worse, it encouraged you to spread the love by getting other friends on-board--essentially "manipulating humans to pass it along on their own," says Guillaume Lovet, senior manager of Fortinet's Threat Response Team.
Secret Crush has since been crippled, but the potential for similar threats still exists. Just days ago, security experts determined that an application called Error Check System was sending out misleading notification messages.
Sophos' Cluley blogged that the typical warning read: "[Name] has faces some errors when checking your profile View The Errors Message." Cluley went on to say "Of course there was nothing really wrong with the recipient's profiles..."
He also told his readers: "This is an important reminder to all Facebook users that they must exercise caution about which third-party applications they install on their profile, and everyone should remember that Facebook does not approve applications before they are made available on their site. You really are putting your trust in complete strangers when you add that next application to your Facebook profile."
A few months earlier, researchers from Greece's Institute of Computer Science uploaded a malicious app to Facebook as an experiment (PDF). The team was able to configure the widget, which posed as a "Photo of the Day" displayer, to utilize its users' Internet connections for denial-of-service attacks.
The Protection: Use extra caution when installing third-party applications. "When you accept to install one, malicious or not, you are granting its author access to all the info in your profile," Lovet says. Make sure you know what the app's creator will do with it.
Scheme #3: The Koobface Virus
Don't be fooled by the name--there's little to laugh about when it comes to the quickly spreading Koobface virus. (The word, by the way, is an anagram of "Facebook.") Once the virus infects your PC, it starts sending messages or wall postings to your Facebook friends, directing them to a "hilarious video" or some "scandalous photos" of someone you both know.
"The link promises an enticing video, but when the user clicks, he is presented with a Web page with a fake Adobe Flash update or a fake codec that needs to be downloaded," explains Ryan Naraine, a security evangelist with Kaspersky Lab. "That download is malware."
The Protection: Antivirus software can help keep you safe, but some common sense can also go a long way. "Be wary of any kind of direct URL in messages or postings," advises Jamz Yaneza, a threat research manager with Trend Micro. If a site asks you to download a software update, Yaneza says, click Cancel and go directly to the vendor's page to see if the update is legit.
Scheme #4: The Phishing Pond
Phishing, a favorite hacker tactic, has found new life at social networking sites. Scammers trick users into following links that open official-looking Facebook log-in prompts. If you enter your user name and password, the information is logged--and your account is theirs.
Brandon Donaldson, a pastor at the Lifechurch.tv Internet Campus, fell for one of these. Someone gained control of his Facebook account and started sending messages to his friends and followers, trying to persuade them to follow the same links and unwittingly give up their accounts, too.
"This was a pretty bad ordeal, since I regularly put video content up on the Web, and I use the Internet as a tool for many relationships," Donaldson says. "You build a certain social trust in these spaces, and you want to keep that trust without these kinds of incidents."
The Protection: The previous plan also applies here: Watch where you click. Plus, if you're ever asked for your password midsession, don't enter it. Manually navigate back to the Facebook.com home page instead, and then log in there if need be.
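"Watch where you click" can be turned into a mechanical check: before following a link in a message or wall post, look at the hostname the browser will really connect to, not the text of the link. The script below is an added example written for this article (it is not code from any of the vendors quoted here, and Facebook's real set of login hostnames is assumed, not taken from the page). It pulls links out of a constructed sample message and flags the two patterns behind the fake log-in prompts described above: a domain that merely contains "facebook" as a subdomain of someone else's site, and a URL whose "user@host" part makes the address look like facebook.com while the browser actually goes elsewhere.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: hostnames where a genuine
# Facebook login page can live. Anything else that asks for a password is suspect.
LEGIT_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com", "login.facebook.com"}

# Hypothetical wall post, constructed for this example (not a real message).
SAMPLE_MESSAGE = (
    "omg this is hilarious video of you https://www.facebook.com/login.php "
    "also check http://www.facebook.com.profile-check.example/login and "
    "http://www.facebook.com@203.0.113.5/ for the scandalous photos, "
    "update flash first: http://video-host.example/flash_update.exe"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) links out of a message, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def classify_url(url):
    """Return (verdict, reason) for one link, judged by where it really leads.

    verdict is 'ok' (allowlisted Facebook host over https), 'external'
    (some unrelated site), or 'suspicious' (a look-alike or a URL trick).
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname could be parsed"
    # 'http://www.facebook.com@evil.example/' reads as facebook.com at a
    # glance, but everything before '@' is userinfo; the browser connects
    # to the host after it.
    if "@" in parsed.netloc:
        return "suspicious", f"userinfo trick: the browser will actually contact {host}"
    if host in LEGIT_HOSTS:
        if parsed.scheme.lower() != "https":
            return "suspicious", f"{host} is legitimate but the link is plain http"
        return "ok", f"{host} is an allowlisted Facebook host"
    # 'facebook' appearing inside someone else's domain is the classic
    # look-alike used to host a fake login prompt.
    if "facebook" in host:
        return "suspicious", f"look-alike host {host} is not a Facebook domain"
    return "external", f"{host} is not Facebook; do not enter Facebook credentials there"


def triage_message(text):
    """Classify every link in a message; returns a list of (url, verdict, reason)."""
    return [(url,) + classify_url(url) for url in extract_urls(text)]


if __name__ == "__main__":
    for url, verdict, reason in triage_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
        print(f"           {reason}")
```

Run on the sample post, only the first link comes back as "ok"; the second and third are flagged as suspicious and the fourth as an external site. The rule the script encodes is the same one the article gives in words: if a page asking for your Facebook password is not on a Facebook hostname, close it and type Facebook.com into the address bar yourself.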